[Oisf-users] Malware detection through Mail how?

rmkml rmkml at yahoo.fr
Fri May 8 16:49:13 UTC 2015


Hi Nick and Jay,

Yes Jay, you are right: if the SMTP network traffic is encrypted, Suricata fails ;)


But if your SMTP network traffic is not encrypted, please test with this sig:

alert tcp any any -> any 25 (msg:"SMTP base64 Eicar antivirus test file attempt"; flow:to_server,established; content:"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"; classtype:attempted-user; sid:1; rev:1;)

Warning: this only works with SMTP base64 MIME encoding.
Don't forget to enable (or disable) cksum in suricata.yaml.

perl -e 'use MIME::Base64;print decode_base64("WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"),"\n";'
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-AN


Don't forget to enable SMTP in suricata.yaml in the latest Suricata v2.1beta4:
app-layer:
  smtp:
    enabled: yes
    mime:
      decode-mime: yes
      decode-base64: yes
      decode-quoted-printable: yes
      header-value-depth: 2000
      extract-urls: yes
    inspected-tracker:
      content-limit: 1000
      content-inspect-min-size: 1000
      content-inspect-window: 1000

But base64 decoding does not work for me in my small test on the latest Suricata v2.1beta4.


Another option is enabling all sigs in smtp-events.rules:
  alert smtp any any -> any any (msg:"SURICATA SMTP.......

Any comments are welcome.

Regards
@Rmkml

http://www.eicar.org/86-0-Intended-use.html


On Fri, 8 May 2015, Jay M. wrote:

> You would need to sniff and often decrypt traffic somewhere between
> the Internet and your mail gate. Encryption usually hinders this
> process, and if you have a tap in place already, this is probably why
> you aren't seeing anything. Ideally your mail gate would have AV and a
> plethora of filter options to address e-mail malware.
>
> --
> Jay
> jskier at gmail.com
>
>
> On Fri, May 8, 2015 at 8:11 AM, Nick de Bruijn <nick_hyves at hotmail.com> wrote:
>> Hello all,
>>
>> I can't figure out how I could use Suricata to detect malware.
>>
>> I want Suricata to detect malware sent in email attachments.
>>
>> Could someone explain to me how I can do this?
>>
>> Now when I send myself an EICAR file, Suricata doesn't recognize it.
>>
>> I would very much appreciate the help!
>>
>> Kind regards,
>> Nick
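
The following is an added example, not code from the thread or from the Suricata project. It builds a constructed SMTP DATA body carrying the EICAR test file as an attachment (example.test addresses are made up) and compares the two detection approaches discussed above: raw_match() stands in for the posted rule, a plain content match on the wire bytes, and decoded_match() stands in for what Suricata's decode-mime/decode-base64/decode-quoted-printable options make possible, matching on the decoded attachment. It also goes a step beyond the "only works with base64" warning: because base64 encodes 3-byte groups, the raw match also depends on EICAR starting on a group boundary, so a 1- or 2-byte prefix defeats it while a 3-byte prefix does not.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed test data: the full 68-byte EICAR test file (public, harmless).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The content string from the rule posted on the list. It is base64 of the
# first 45 bytes of EICAR, i.e. exactly 15 whole 3-byte groups.
RULE_CONTENT = b"WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO"
assert base64.b64encode(EICAR[:45]) == RULE_CONTENT


def build_message(payload: bytes, cte: str = "base64") -> bytes:
    """Return the bytes a client would send after SMTP DATA: a multipart
    message with `payload` attached using the given Content-Transfer-Encoding
    (base64 or quoted-printable). Addresses are constructed example values."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "eicar test"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="eicar.com", cte=cte)
    return msg.as_bytes()


def raw_match(wire: bytes) -> bool:
    """Stand-in for the posted rule: a literal content match on the SMTP stream.
    Fires only if the attachment is base64 *and* EICAR starts on a 3-byte
    group boundary, since base64 output changes with alignment."""
    return RULE_CONTENT in wire


def decoded_match(wire: bytes) -> bool:
    """Stand-in for MIME-decoded inspection: decode every attachment
    (base64 or quoted-printable) and match the plaintext signature."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    return any(EICAR[:45] in part.get_payload(decode=True)
               for part in msg.iter_attachments())


def compare(payload: bytes, cte: str = "base64") -> dict:
    """Run both detectors over one constructed message."""
    wire = build_message(payload, cte)
    return {"raw": raw_match(wire), "decoded": decoded_match(wire)}


if __name__ == "__main__":
    cases = {
        "base64, EICAR at offset 0": (EICAR, "base64"),
        "quoted-printable": (EICAR, "quoted-printable"),
        "base64, 2-byte prefix (misaligned)": (b"\r\n" + EICAR, "base64"),
        "base64, 3-byte prefix (aligned again)": (b"xyz" + EICAR, "base64"),
    }
    for name, (payload, cte) in cases.items():
        print(f"{name:40s} {compare(payload, cte)}")
```

The raw content match is cheap and works for the common case (base64 attachment, file starts at offset 0), which is why the posted sig catches a plain EICAR send. The quoted-printable and misaligned cases show why the MIME decode options in suricata.yaml matter: only inspection of the decoded attachment is independent of transfer encoding and alignment.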


